Apple Pay has arrived: A payment app with a future

This blog post is contributed by Moya Brannan, a Software Architect in the Financial Services Sector.

So here it is: Apple Pay! Launched in October 2014, Apple Pay looks like a grown-up, full-fledged payment app that will let you shop till you drop. You can use it for shopping or to buy your morning coffee; so long as there is a near field communication (NFC) reader, you’re good to go with the Apple Pay app and your fingerprint. You can also use Apple Pay when purchasing items from other apps on your iPhone or Apple Watch.

So how does it work? Is it safe? What is the mechanism behind it? And is there an Android alternative out there?

How does it work?

Like most things Apple, Apple Pay seems straightforward, intuitive and easy to use; if you have an iTunes account you can use your already registered debit and credit cards or you can add card details to the app. None of these details are stored on the phone, but we will talk more about that later.

When you want to buy something, you put your iPhone 6, iPhone 6 Plus or Apple Watch over the card reader (just like using payWave). A message pops up on your mobile device’s screen, you select which card you want to pay with and, finally, you confirm the purchase using your fingerprint on the "Touch ID" button on the iPhone or by pressing a key on the Apple Watch.

You can also use Apple Pay to confirm purchases in other apps on your iPhone. This too seems simple: when you select to pay, Apple Pay will appear as a payment option, and again you confirm your purchase using your fingerprint on the Touch ID.

Is it safe?

Safety is probably people’s biggest concern in moving to a new method of spending. No one wants to lose money or have their accounts compromised, so what has Apple done to make Apple Pay safe?

First, none of your account data is stored on the phone, so if the device is lost no one can look at the device’s secure element and get your banking details. Each payment uses a single-use, tokenized identifier along with your fingerprint, which the processing companies, such as American Express, MasterCard and Visa, link back to your card.

So suppose someone takes your phone and tries to go on a shopping spree. They might be able to get the reader to talk to your phone, but without your fingerprint they cannot confirm that payment.

What is the mechanism behind Apple Pay?

There are a couple of methods for making mobile payments. One is to use the secure element in the phone, and the other is Host Card Emulation.

Apple is using the secure element method and has even created its own single chip element on your phone; it’s known as the S1 SiP (system in package). The S1 SiP holds your encrypted and unique device account number that is used as part of the Apple Pay transactions. This is not your bank account number.

Apple actually doesn’t need to store bank details, so your bank information is not shared with the merchants you are shopping with, nor is it sent with the payment messages to the processing companies. Instead the token is used for all of these.
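A simplified model of the token flow described above, added here as an illustration and not Apple's or any card network's actual protocol. The HMAC-based cryptogram, the transaction counter, and the names TokenService, Device and make_cryptogram are assumptions made for this example; it shows that the merchant-facing message carries only the device account number and a single-use value, and that a replayed or altered message is declined.

```python
import hashlib
import hmac
import secrets


class TokenService:
    """Stand-in for the card network's token vault (constructed model)."""

    def __init__(self):
        self._vault = {}  # device account number -> [card number, key, last counter]

    def provision(self, card_number):
        """Issue a device account number and key; the card number stays here."""
        dan = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[dan] = [card_number, key, 0]
        return dan, key

    def authorize(self, dan, counter, amount_cents, cryptogram):
        """Return the card to charge, or None if the payment must be declined."""
        entry = self._vault.get(dan)
        if entry is None:
            return None  # unknown token
        card_number, key, last_counter = entry
        expected = make_cryptogram(key, dan, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # forged, or token/amount altered in transit
        if counter <= last_counter:
            return None  # replay of an earlier payment message
        entry[2] = counter
        return card_number


def make_cryptogram(key, dan, counter, amount_cents):
    """Single-use value bound to this token, counter and amount."""
    msg = f"{dan}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Device:
    """Holds only the device account number and key, never the card number."""

    def __init__(self, dan, key):
        self.dan, self._key, self._counter = dan, key, 0

    def pay(self, amount_cents):
        """Build the payment message the merchant's reader receives."""
        self._counter += 1
        return {"dan": self.dan, "counter": self._counter, "amount": amount_cents,
                "cryptogram": make_cryptogram(self._key, self.dan, self._counter, amount_cents)}
```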

Is there an Android alternative out there?

Of course there is an Android alternative out there. Traditionally, Android-based mobile payment systems such as Google Wallet used a phone’s secure element; this had limitations since the card details would therefore need to be stored on that device. However, on the Android platform, apps such as Google Wallet and many other wallet providers have moved to Host Card Emulation (HCE), an open source specification. HCE removes the card details from the phone and stores those details in a version of a secure element on the cloud. It’s a good model, but your actual bank details are held in the cloud, which could still be a potential risk.

The future looks bright as the processing companies move toward introducing tokenization. This will mean that the HCE method could hold a token on the cloud rather than your bank details; this provides a much stronger security model.

We’ll see where mobile payments go

I think mobile payments are overdue! My mobile contract is up for renewal in a few weeks, and I am tempted to switch back to Apple so I can use Apple Pay; however, I will have to wait a while as the payment service is not yet available in the UK. I can also see myself using the Apple Watch—it seems to have everything I need in one clever wearable device.

And please let me know what you think. Would you feel safe using Apple Pay? Would it make your life easier having a payment app on your mobile device? Would you leave your wallet at home?